Description

[0001] This invention relates to methods and devices for the issue and negotiation of electronic negotiable or quasi-negotiable documents (END), and is particularly relevant to systems which are sufficiently secure in open environments. The purpose is to replace paper documents such as cash, bank cheques and bills of lading with freely transmissible electronic data.

[0002] The goal to achieve is that an electronic document - or rather, an electronic realisation of a document - at any particular time can be proved to be the (temporary) property of a particular user. This is clearly required for what is known as negotiable or quasi-negotiable documents. The most interesting examples in trading are Bills of Lading, apart from cash and cheques. The main requirement is thus that these documents be unforgeable.

[0003] With ordinary paper documents, the problem is solved by giving the original of a document certain physical attributes that are difficult to reproduce. With this precaution, it makes sense to speak of the original of a document, and to define the owner simply as the person holding the original. An electronic (quasi-)negotiable document will in the following be denoted by END.

[0004] The important property required is apparently that of uniqueness. The problem is to find a suitable attribute of an electronic document which somehow would give it the property of uniqueness, explicitly or implicitly.

[0005] Obviously, the concept of an original does not make sense for electronic documents, and other (e.g. cryptographic) methods must ensure that the owner of a particular electronic document can be identified. One question is to what extent this will involve a trusted third party (TTP).

[0006] Any document of some value must initially be generated by someone, who will guarantee this value. This requires the proof of origin, or non-repudiation of origin, service, which is well known art and is realized using digital signatures.

[0007] The question now is how to develop a protocol to cover the situation where an END, once issued, is to change hands. The main problem is to ensure that the new owner is uniquely identified, or, in other words, that the seller cannot circumvent the measures and sell the same END to two different entities.

[0008] It is now generally recognized that this could only be achieved using cryptographic techniques, in the sense that violation will be detected. Further, it is necessary to use tamper-resistant document carriers, such as smart cards (plastic cards containing an integrated circuit) or workstations. "Tamper-proof" or "tamper-resistant" means that the functionality of the device cannot be changed, and that any attempt to do so can be readily detected; in many cases, the device would simply be destroyed by tampering.

[0009] One obvious solution would be to introduce a trusted third party (TTP) to register at all times the possession of a particular document, but this would leave the TTP with heavy liability burdens, and is not a popular solution.

[0010] Another solution would be to represent each END with a unique chip card, but transfer of the END would necessitate physical transfer of the chip card, which in many cases would be impractical.

[0011] The only other way to provide uniqueness is physically to prohibit free copying. This would involve tamper resistance to realize protected communication with restricted functionality, if possible.
[0012] It is known to provide an encryption technique which ensures uniqueness in the transfer of data between two devices. Such a technique is described for example in "New Directions in Cryptography", W. Diffie and M. Hellman, IEEE IT 22 (1976), 644-654. Briefly, each device stores a unique pair of codes known as the public key and the secret key. These constitute a set of matching keys with an underlying algorithm. Such algorithms include RSA and DSA, which are described respectively in U.S. patents 4 405 829 (R. Rivest, A. Shamir and L. Adleman) and 5 231 668 ("Digital Signature Algorithm", by D. Kravitz). The secret key S can be used to provide in effect a digital signature S(D) on input data D. The corresponding public key P can then be used to verify that the input for S(D) must have been S and D. Data from a seller's document carrier, for example, can be encrypted using the public key P of the buyer's document carrier, transmitted to the buyer, and then decrypted using the buyer's secret key, if the public key scheme is of encryption type.

[0013] The basic principle for achieving uniqueness here is simple but fundamental: a message encrypted under a key known to only one entity is unique, as long as it is encrypted, and establishes undisputable ownership by the mere fact that it will only be useful to the owner of the key. Only the person in possession of the right key can make any use of the document, which in effect is the property of uniqueness.

[0014] On the other hand, the only way the rightful owner can verify that the right END has been encrypted under his key is by decrypting it. But this will give him access to the message, and he may subsequently be able to "sell" it to two different persons by encrypting it with their respective keys. A purpose of the invention is to provide a way of avoiding this. This requires tamper-resistant hardware, perhaps a chip card, or a hardware-protected PC. In the following, this hardware and equivalent hardware will be called the DOC-carrier, or D-C when abbreviated. Its properties will be described in detail below.

[0015] "Universal Electronic Cash" by Okamoto and Ohta, published in Advances in Cryptology - CRYPTO '91, Proceedings, Santa Barbara, CA, USA, pages 324-377 (Springer Verlag, Germany), describes an electronic cash system in which a small amount of memory is required to represent one piece of electronic cash. The system also allows the seller to divide the cash balance.
[0016] The present invention provides a method of issuing an END as set out in accompanying claim 1, a tamper-resistant document carrier as set out in accompanying claim 9, and a method of negotiating an END between buyer and seller as set out in accompanying claims 12 and 23.

[0017] The invention provides a system with the following properties:

[0018] An END (or at least the digital signature component of the END) is generated electronically, for instance by using non-repudiation of origin, in a tamper-resistant unit and then loaded onto a DOC-carrier (if not the same). As mentioned, this requires some care. It is essential that the signature thus appended to provide the non-repudiation is never disclosed. (It would of course suffice to represent the END by a hash value and the generating digital signature inside the DOC-carrier if storage is a problem.) The message itself does not need to be protected.

[0019] More specifically, an END (or at least the signature component) is transferred from one DOC-carrier to another, through a public unprotected network, in such a way that

1. It can only be transferred as a meaningful document to one particular DOC-carrier, which nevertheless can be chosen from any number of registered DOC-carriers;

2. Recovery is possible if the transfer is unsuccessful;

3. The protocol cannot be completed by any other device than an authorized DOC-carrier.

[0020] The system should be completely open to communication between any two DOC-carriers, without bilateral agreements.

[0021] Accordingly, the invention provides a method of issuing an END, as defined in Claim 1 below, and a document carrier suitable for use with such a method. The invention also provides methods, as defined in Claims 12 and 13, of negotiating an END between a seller and a buyer; and a method as defined in Claim 23 of splitting an END, e.g. an electronic cheque or cash.
[0022] In order that the invention may be better understood, an embodiment of the invention will now be described, with reference to the accompanying drawings, in which:

Figure 1 is a diagram illustrating, by way of an overview, the negotiation of an END between two document carriers, showing the main components of the document carriers;

Figure 2 is a schematic flow diagram of the generation of an END; and

Figure 3 is a schematic flow diagram of the negotiation of an END.

[0023] Each DOC-carrier "possesses" a public key pair. The secret key of this pair must not even be known to the owner of the DOC-carrier. It would be required to realize this in such a way that not even the system provider knows the DOC secret keys. Thus the secret key must be generated on the DOC-carrier and never leave it unprotected. The DOC-carrier itself should be freely available, but stationary, and certified by some Certification Authority along the lines of the X.509 security architecture.

[0024] The END consists of the information as represented in an electronic message, and the corresponding digital signature, calculated by means of the secret key of the issuer and - typically - a hash value of the electronic message. The format could for instance be a special EDIFACT message for the electronic message, whereas the signature will be calculated and stored securely on the DOC-carrier.

[0025] Now, the problem is that this shall only be released through a selling process to another DOC-carrier. So the question is, how can one DOC-carrier identify another?

[0026] The most attractive solution seems to be the following approach: a trusted party called the Certification Authority, CA, authorizes all DOC-carriers in the following manner. The public key of the CA is installed on the DOC-carrier, as well as the secret DOC-carrier key, in a ROM, and in such a way that the secret key cannot be disclosed. Moreover, when a document, or rather the accompanying key-protected signature, is entered on the DOC-carrier, the DOC-carrier software must ensure that it can only be released again encrypted under a public key certified by the CA secret key (and verified by means of the corresponding public key on the DOC-carrier). The point behind this is that it will prevent the use of a non-authorized DOC-carrier to get access to the vital signature on an END, which defines that particular negotiable electronic document. In particular, this encrypted message is useless except when imported into the DOC-carrier holding the corresponding secret key. It is thus important to realize that the value of the negotiable document is represented by the digital signature of the issuer.

[0027] Furthermore, and this is an essential property, such an encryption of a particular END on an individual DOC-carrier can take place only once; or rather, once a public key has been selected, it is impossible at any later stage to go through the same procedure with another public key.

[0028] Such a system would solve the problem of uniqueness in general - provided it works in practice. The difficult part, which also requires a careful analysis, is to recover from failure. In other words, the problem has been reduced to that of availability.

[0029] First of all, the DOC-carrier may go down. The only way to recover from that is to have the same information on a backup DOC-carrier. This requires that a protocol is developed which ensures that the backup card cannot be used to sell the END to a different entity. Another possibility is to demand that whenever a backup copy is required, the CA must be contacted.

[0030] Secondly, something may go wrong with the encryption in a selling process. This will be easy to recover from, by encrypting once again under the same public key. The use of certificates will ensure with extremely high probability that the public key used for encryption is correct.

[0031] Thirdly, something may go wrong in the data transmission from one DOC-carrier to another. But this is handled by re-transmission. The encrypted version of an END need not be protected. In particular, a totally insecure network may be used to exchange the encrypted END.

[0032] Finally, something may go wrong in the receiving DOC-carrier. This may best be handled by a backup card, with special procedures for recovery.

[0033] The functionality of the DOC-carrier is explained in Figure 1. With the notation of the discussion above, this gives an overview of the design of a DOC-carrier.

[0034] The general principle of the protocol between two DOC-carriers A and B is represented in the following sequence, the numerical stages 1 to 6 of which are shown in Figure 1:

1. The certificate of B is forwarded to A

2. A verifies the certificate of B

[0035] If this is successful:

3. A encrypts the relevant END (or rather, the defining signature) with the public key of B and

4. forwards this to B

5. B decrypts with its secret key Sb and is now the owner of the END

6. B stores the END (or rather, the defining signature) as DOC 1.

[0036] The main content of DOC 1 may be transmitted separately from one workstation to another; it does not matter that there may be insufficient memory in the DOC-carrier for the whole of DOC 1, because it is only necessary to store and encrypt the signature portion.

[0037] The following is a more detailed description of the generation and negotiation of an END.

[0038] The basic protocol for issuing an END and for negotiating that END from its original document carrier to subsequent document carriers is described in the annexed Tedis II B7 document. This gives examples of a document carrier in the form of a chip card containing memory and a program, in a tamper-resistant format. This document also describes the role of a Trusted Third Party in the certification of the document carriers, including their original programming with public-secret key pairs, and the tracing of negotiations between document carriers. One important benefit of the present invention is that the role of the Trusted Third Party is minimized, in that it is not necessarily involved directly in the performance of a negotiation of an END between buyer and seller. In other words, no third party need be involved in the actual negotiation protocol. It is also an important benefit of the invention that each END can be negotiated only from one document carrier to one other document carrier, and only once (the system is arranged so that the seller can, in future, receive the END back again, but only as a result of a genuine transaction: the system achieves this by counting the number of transactions for each END, and this is described in more detail below).
[0039] In this description, the party, such as a bank, which issues the END is known as the issuer. The issuer has a public-secret key pair, of which the secret key is used to sign the END. The END consists of a bit string which can be read by conventional coding rules, such as ASCII characters written in English. The END is not complete until it is signed by the issuer. As indicated above, a public-secret key pair consists of a set of matching keys P and S with an underlying algorithm. A Trusted Third Party initializes the document carriers of the system, and each document carrier is initialized with a public-secret key pair for signature generation and verification, and a public-secret key pair for encryption and decryption, unique to the device. However, the two public-secret key pairs can be identical, i.e. can be used for both purposes. This depends partly on whether the document carrier is used for issuing as well as for negotiation: the public key pair for issuing can be different from that for negotiation. Each document carrier is identified by a unique device number or identifier, referred to as the No (D-C).

[0040] Each document carrier is given to one legal person, called the owner. The buyer of an END is the document carrier in current possession of the END. The seller is the document carrier which is to take possession of the END from a buyer through the protocol. The validity period of each END is the interval between the time of issue and the time that the issuer requires it to expire. The time of issue is recorded as a time stamp with the END.

[0041] As indicated above, each document carrier must be tamper-resistant, with a limited functionality. It could take the form of a specially designed chip card, or an enhanced workstation. The digital signature could typically be stored in an EEPROM, or some sufficiently protected memory.

[0042] The Trusted Third Party (TTP) has its own public-secret key pair, of which the public key P is installed on each document carrier. Further, a certificate, consisting of a digital signature of the device number No (D-C) and of the public key of the document carrier, is installed on the document carrier, for each of its public key pairs.
[0043] In the case of bank cheques, for example, an electronic "watermark" is added to each END upon creation.

[0044] Normally, the document carrier upon which the END is issued has the electronic watermark stored on it, for addition to the END upon issue.
[0045] In the detailed description which follows of the issue and negotiation of an END, reference is made to the hash value of data. This refers to a technique described for example in ISO/IEC IS 10118, "Information Technology - Security Techniques - Hash Functions". The hash value is a representative abbreviation of the original data, and it is used where the hardware dictates economy in the use of storage space. For example, chip cards at present are unable to store much data, and the hash value is used to reduce the amount of encrypted data to be stored.

[0046] Examples of ENDs include electronic cash, in which the issuer is called a "Bank", with special equipment for issuing ENDs; here, the document carriers are used for negotiation, not issue. A further example is electronic bank cheques, in which each document carrier comes with a watermark of the Trusted Third Party (again called the "Bank") and each document carrier may be an issuer. A further example is the bill of lading, which is similar to the example of bank cheques, but need not necessarily have watermarks. The same applies to bills of exchange.

[0047] Various back-up procedures are possible in any instance, and the TTP involved will then have a copy of the keys of the document carriers. As the buyer always receives the END encrypted under the public key of the device, it will keep copies of the received encrypted information for later recovery by means of the TTP. Thus the negotiation can be recovered later once decryption becomes possible. Alternatively, each document carrier is formed with a duplicate, complete with the unique public-secret key pair (S), certificate and device number; the device number identifies the device which is being backed up by the duplicate. One possibility for this is to have one chip card with two chips, but a more secure solution is to have two independent chip cards or other workstations. Whenever a negotiation takes place, the protocol is duplicated with the backup document carrier. If the primary document carrier should break down, the backup is authorized to sell to the issuer, after the expiration time, the ENDs which could not be negotiated. In this case, the TTP needs only to keep a copy of the backup device secret key.

[0048] A preferred feature for electronic bank cheques is the so-called "splitting" of a purchased cheque. A purchased cheque may be split into two by means of two digital signatures by the buyer. The document carrier verifies that the total amount of the two split parts adds up to the amount of the original. A digital signature is generated by the document carrier and the two separate parts can then be negotiated individually. Subsequently, buyers will have to authenticate not only the issuing signature but also the splitting signature.



[0049] The split is performed in the following manner: the original END, as represented in the document carrier of the current owner, may be split into two or several numbered versions, the sum of their values adding up to the value of the original. A split version consists of the original, together with some information such as its value and sequence number, and this is signed with the secret key of the document carrier. If the document carrier has the status of an issuer, the original issuing signature may be deleted to save space.

[0050] Any END could be split, even for example a bill of lading, in which case the information could include attributes such as quantities of goods as well as, or instead of, monetary value. An oil cargo for example could be divided, and the electronic bill of lading split accordingly.

[0051] With reference now to Figure 1, an END is issued on a document carrier D-Cj. The content of an END is generated freely in an unprotected environment by any issuer, and the certificate of the issuer is contained in the END together with a time stamp indicating the time of issue. A hash value h1 of fixed bit length is created from the certificated END plus the time stamp, and this is provided as an input to the document carrier.

[0052] In the example of bank cheques given in the Annex "Mandate - final report", the document carrier is initialised by one or more banks. The banks personalise the D-C for the user by recording the user's account number etc. and enabling the user to issue a specific number of electronic cheques drawn on that account - these are ENIs (electronic negotiable instruments). The same D-C can be initialised by several banks for respective accounts, and it is then an "electronic cheque book".

[0053] To create an ENI, the user puts his D-C into a smart-card reader connected to his PC, and he fills in details such as value, payee and period of validity, which appear as blank spaces on his PC screen, adjacent to the bank details which appear automatically. The user transfers the message, or a hash value of it, onto his D-C, where it is signed.

[0054] At the initiation of the user, therefore, the document carrier performs certain functions which are beyond the control of the user. Specifically, the document carrier adds its device number D(j), which is in one-to-one correspondence with the public key of the device used for verification of digital signatures generated by the device. This device number could form part of the certificate, or it could be for example the upper bits of the public key after the most significant 1. The document carrier then appends the sequential serial number S(i) for the END. In the case of the END being a bank cheque, or if otherwise required, the document carrier also appends the watermark WM, which is a bit sequence identifying a certain party such as a bank.

EP 0 808 535 B1

[0055] The concatenation of this data is then, if necessary, hashed to produce a hash value h2. The data or the hash value of the data are then signed by the secret key of the document carrier, to produce Sj(h2). This signed value is stored adjacent to the other concatenated data. Next, the document carrier appends to this data the value of a serial counter, set to zero, and the value of a one-bit flag, set to one, indicative of whether the END is currently negotiable (value 1) or non-negotiable (value 0) from the particular document carrier.

[0056] The END has thereby been issued, and made ready for negotiation with another document carrier certified as being part of the system.

[0057] The negotiation of this END originating from document carrier D-Cj, between a seller document carrier D-Ca and a buyer document carrier D-Cb, will now be described with reference to Figure 2.

[0058] The negotiation involves the seller and the buyer, and may involve a TTP as well, but for tracing only. The seller, which may possess many different ENDs, decides to sell this particular END to the buyer B. The seller first authenticates the buyer, in Stage 1, by receiving from it the certificate Cb, corresponding to the unique public key Pb of the document carrier D-Cb. It is transmitted over a public channel in an open environment.

[0059] The program on the seller's document carrier D-Ca checks, in Stage 2, whether the certificate Cb is authenticated, and aborts the negotiation if not. It then extracts the public key Pb for future encryption. The seller identifies the negotiability status flag of the particular END it wishes to sell, accessing it, in Stage 3, with the device number D(j) and the END serial number S(i). It then checks in Stage 4 that the flag is 1, and if not it aborts the negotiation. If the END is shown to be negotiable, then further action is not denied, and the full END record or message M is encrypted by means of the public key Pb, and sent over the public channel to the buyer.

[0060] To ensure that the seller cannot repeat the negotiation of the same END, the negotiability status flag is set to zero, in Stage 6.

[0061] On receipt of the encrypted message or ciphertext C corresponding to message M, the buyer decrypts the information using its own secret key Sb: this provides the original message M = Sb(C). The buyer also requests and receives, in Stage 6, the certificate of the issuer Cer(D-Cj), and the hash value of the original content of the END, and in Stages 7 and 8 it decrypts the message M from the ciphertext C, and it verifies the signature Sj(h2) and the device number D(j) of the issuer. If verification should fail, the buyer informs the issuer and ceases negotiation.

[0062] The buyer then checks the timestamp T of the END, and informs the issuer and aborts the negotiation if the timestamp indicates expiration of validity of the END.

[0063] The buyer then returns to the seller, through the same open channel, an acknowledgement in the form of a digital signature on the concatenation of the serial number of the END, the generating signature and the counter. It is accompanied by its own certificate Cb. A copy may also be returned to the issuer for tracing purposes.

[0064] The seller D-Cb verifies the acknowledgement and then outputs the result for information to the seller. The same thing happens at the issuer, if applicable.

[0065] In Stage 10, the received information, i.e. the hash value of the content of the END, the device number of the generating END, the serial number of the END, the generating signature and the counter, which is incremented by 1 in Stage 11, is then stored in a new record. It is important to increment the counter, so that each document carrier can recognize that the END has undergone a further negotiation, allowing it to return to a previous document carrier.

[0066] The negotiability status flag is then set to 1, to indicate that this END, with this particular counter, has become negotiable.

[0067] After a number of negotiations, the END will be presented to the issuer for settlement, whether it is a cheque or cash or whatever. The settlement involves electronic tracing, effectively in the reverse direction, back to the original issue.

[0068] Whilst a specific example has been given to illustrate the different inventions claimed in the following claims, it will be appreciated that the objects of the invention can be realized in different forms, using different software or different hardware. The various different features which have been described in this specification are not all essential, but we claim separate inventions in all possible combinations of such features, within the scope of the claims. For example, although the method of issuing an END and then negotiating that END from the issuing document carrier to a buying document carrier is not claimed separately, this is intended to be a separate invention. Further, features such as the ability to recover from failure, although not claimed specifically, are intended to constitute an invention when combined with other features which are claimed specifically.



Claims

1. A method of issuing an electronic negotiable document (END) comprising: creating as data (DOC 1) an END and storing this in a tamper-resistant document carrier (A), the document carrier containing a unique public-secret key pair (S) for signing and verifying and a unique document carrier identifier D(j); signing the unique document-carrier identifier, the END and an END identifier (S(i)) using the secret key of the public-secret key pair and storing the result in the document carrier.

2. A method according to claim 1 of issuing an END, further comprising generating a time stamp (T) representing the time of issue and storing this with the END in the tamper-resistant document carrier before the encryption step.

3. A method according to claim 1 or 2 of issuing an END, including the step of calculating a hash value (h1) of the END and/or the time stamp value and storing this hash value instead of the full END in the tamper-resistant document carrier, before the said encryption step.

4. A method according to any preceding claim of issuing an END, in which the document carrier identifier (D(j)) is a device number, and the END identifier is a serial number (S(i)).

5. A method according to any preceding claim of issuing an END, in which the END identifier is supplemented with data representing a watermark (WM) unique to the issuer.

6. A method according to any preceding claim of issuing an END, comprising the step of calculating a hash value (h2) of the data to be encrypted by the said secret key, in place of the full data.

7. A method according to any preceding claim of issuing an END, in which the document carrier stores a negotiability status flag (FLAG) indicative of whether the END stored therein is negotiable or non-negotiable, and including the step of setting the flag to "negotiable" after the result of the encryption has been stored in the document carrier.

8. A method according to any preceding claim of issuing an END, in which the document carrier includes a counter (COUNTER) for counting a serial number, indicative of the number of times that the END has been negotiated since issue, and comprising the step of setting the counter to zero after the result of the encryption has been stored in the document carrier.

9. A tamper-resistant document carrier adapted to store an END, the document carrier containing a unique public-secret key pair (S) for signing and verifying and a unique document carrier identifier D(j); means for encrypting the unique document-carrier identifier, the END and an END identifier (S(i)) using the secret key of the public-secret key pair; and means for storing the result in a memory of the document carrier.

10. A document carrier according to claim 9, in which the memory includes a negotiability status flag (FLAG) capable of being set either to "negotiable" or "non-negotiable".

11. A document carrier according to claim 9 or claim 10, in which the memory includes a counter (COUNTER) for storing a serial number representative of the number of times the END has been negotiated.



12. A method of negotiating an END between a seller and a buyer each possessing a tamper-resistant document carrier (A; B) having its own public-secret key pair (PA, SA; PB, SB), in which the END is stored in the seller's document carrier (A) in the form of END data (DOC 1), and the signature generated by the secret signing-key of a document carrier of the issuer of the END, together with a negotiability status flag (FLAG) indicative of whether the END is currently negotiable from the document carrier on which it is stored, comprising establishing mutual recognition between the seller and buyer using a predetermined protocol between the respective document carriers, verifying (Fig. 3, step 4) in the seller's document carrier that the negotiability status flag is "negotiable" and aborting the negotiation if not, sending the public encryption key of the buyer's document carrier to the seller's document carrier and using it to encrypt (Fig. 3, step 5) the message comprising the END together with the negotiability status flag, sending that encrypted message to the buyer, decrypting (Fig. 3, step 7) that message using the buyer's secret decryption key, and setting (Fig. 3, steps 11 and 6) the negotiability flag for that END of the buyer's and the seller's document carriers respectively to "negotiable" and "non-negotiable".

13. A method of negotiating an END between a seller and a buyer each possessing a tamper-resistant document carrier (A; B) having its own public-secret key pair (PA, SA; PB, SB), in which the END is stored in the seller's document carrier (A) in the form of END data (DOC 1), and the signature generated by the secret signing key of a document carrier of the issuer of the END, together with a serial number counter (COUNTER) indicative of the number of times that the END has been negotiated since issue, comprising establishing mutual recognition between seller and buyer using a predetermined protocol between their respective document carriers, verifying in the seller's document carrier that the END, if it has been stored previously in that document carrier, has a different counter value this time and is therefore negotiable, but aborting the negotiation if it is not negotiable, sending (Fig. 3, step 1) the public encryption key of the buyer's document carrier to the seller's document carrier and using it to encrypt (Fig. 3, step 5) the message comprising the END together with the counter, sending that encrypted message to the buyer, decrypting (Fig. 3, step 7) that message using the buyer's secret decryption key, and incrementing the counter by one (Fig. 3, step 11).

14. A method according to claim 12 or claim 13, in which each document carrier is installed originally with a certificate comprising a digital signature of its unique identifier (D(j)) and of its public key (PA, PB).

15. A method according to claim 14, in which the certificate unique to the document carrier on which the END was originally issued is stored with the END in the seller's document carrier.

16. A method as claimed in claim 14 or 15, in which the 
certificate of the buyer's document carrier is sent 
(Fig. 3, step 1) to the seller's document carrier in 
which it is authenticated and the negotiation is 
aborted if authentication fails. 

17. A method according to any of claims 12 to 16, in which the buyer's document carrier, after decrypting the message using the secret key, verifies the signature of the issuer on the END, and informs the issuer in the event that authentication fails.

18. A method according to any of claims 1 to 8 of issuing an END on a document-carrier followed by a method of negotiating the END as claimed in any of claims 12 to 17.

19. A method according to claim 18 as appendant to claim 2, in which the buyer's document carrier (B), after decrypting the message with its secret key (SB), verifies (Fig. 3, step 9) that the END is still valid by taking its time stamp (T), and, if it has expired, informs the issuer of this, and aborts the negotiation before incrementing the counter or setting the negotiation status flag.

20. A method according to any of the claims 12 to 19 
including recovering the negotiation of an END 
which has previously broken down, by providing the 
buyer's document-carrier with the necessary secret 
key which has been reproduced by the issuer or by 
a trusted third party. 

21. A method according to any of claims 12 to 19 including recovering an END lost from a primary document-carrier, by activating a back-up document-carrier which has previously been provided with back-up data reproduced from the primary document-carrier.

22. A method according to claim 20 or 21, comprising inhibiting the recovery until the expiry of the predetermined period of validity of the END.

23. A method of negotiating an END, sold by a seller to 
a buyer, in which the buyer splits the END electron- 
ically into two or more parts and then negotiates 
those parts separately to one or more further buy- 
ers. 

24. A method according to claim 23, in which each part is subjected to the digital signature of the said buyer's document carrier which effects the splitting.
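The issue and negotiation claims above describe a protocol whose security rests on three checks: the seller's carrier refuses to negotiate an END whose FLAG is already "non-negotiable" (claim 12, step 4), the message to the buyer is encrypted under the buyer's public key (step 5), and the buyer's carrier verifies the issuer's signature before accepting the END (claim 17). The following Go program is an added illustration of those claims and is not code from the patent. It assumes RSA PKCS#1 v1.5 signatures over SHA-256, a hybrid RSA-OAEP plus AES-256-GCM encryption for step 5 (the claims only say "encrypt with the public key"), JSON as the carrier's message format, and an `IssuerPub` field standing in for the issuer certificate of claim 15; mutual recognition between the carriers (claims 14 and 16) is assumed to have already succeeded.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
)

type Slot struct {
	Doc        []byte         // DOC1
	Serial     uint32         // S(i)
	IssuerID   string         // D(j) of the issuing carrier
	IssuerPub  *rsa.PublicKey // assumption: stands in for the issuer certificate of claim 15
	Signature  []byte         // issuer's signature over D(j) || S(i) || DOC1
	Negotiable bool           // FLAG
	Counter    uint32         // COUNTER: negotiations since issue
}

// Carrier is a tamper-resistant document carrier (claim 9); its secret key never leaves it.
type Carrier struct {
	ID   string // D(j), the device number of claim 4
	key  *rsa.PrivateKey
	Slot *Slot
}

func NewCarrier(id string) (*Carrier, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	return &Carrier{ID: id, key: k}, err
}

// endMessage is the signed byte string: D(j), a separator, big-endian S(i), then DOC1.
func endMessage(id string, serial uint32, doc []byte) []byte {
	return append(binary.BigEndian.AppendUint32([]byte(id+"|"), serial), doc...)
}

// Issue (claims 1, 6, 7, 8): sign a hash of D(j) || S(i) || DOC1, store it, FLAG = negotiable, COUNTER = 0.
func (c *Carrier) Issue(doc []byte, serial uint32) error {
	h := sha256.Sum256(endMessage(c.ID, serial, doc))
	sig, err := rsa.SignPKCS1v15(rand.Reader, c.key, crypto.SHA256, h[:])
	c.Slot = &Slot{Doc: doc, Serial: serial, IssuerID: c.ID, IssuerPub: &c.key.PublicKey, Signature: sig, Negotiable: true}
	return err
}

// seal encrypts for the holder of pub. OAEP cannot carry a whole END (the signature alone is
// 256 bytes), so a fresh AES-256-GCM key is OAEP-wrapped: wrapped key || nonce || ciphertext.
func seal(pub *rsa.PublicKey, plain []byte) []byte {
	key, nonce := make([]byte, 32), make([]byte, 12)
	rand.Read(key)
	rand.Read(nonce)
	wrapped, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil) // a 32-byte key always fits
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Seal(append(wrapped, nonce...), nonce, plain, nil)
}

func open(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	n := priv.Size()
	if len(ct) < n+12 {
		return nil, errors.New("ciphertext too short")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct[:n], nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, ct[n:n+12], ct[n+12:], nil) // fails on any tampering
}

// Negotiate is the transfer of claims 12 and 13 (figure 3 step numbers in comments).
func Negotiate(seller, buyer *Carrier) error {
	if seller.Slot == nil || !seller.Slot.Negotiable { // step 4
		return errors.New("abort: END not negotiable on the seller's carrier")
	}
	plain, _ := json.Marshal(seller.Slot)
	msg := seal(&buyer.key.PublicKey, plain) // steps 1 and 5
	seller.Slot.Negotiable = false            // step 6: the seller's copy is spent
	dec, err := open(buyer.key, msg)          // step 7
	if err != nil {
		return err
	}
	var s Slot
	if json.Unmarshal(dec, &s) != nil {
		return errors.New("abort: malformed END")
	}
	h := sha256.Sum256(endMessage(s.IssuerID, s.Serial, s.Doc)) // claim 17: verify the issuer's
	if rsa.VerifyPKCS1v15(s.IssuerPub, crypto.SHA256, h[:], s.Signature) != nil { // signature
		return errors.New("abort: issuer signature invalid, inform " + s.IssuerID)
	}
	s.Negotiable, s.Counter = true, s.Counter+1 // step 11
	buyer.Slot = &s
	return nil
}
```

Running `Issue` on one carrier and then `Negotiate` twice from the same seller shows the double-spend defence of step 4: the second call aborts because the seller's FLAG was cleared at step 6. Altering `Doc` in a carrier before reselling shows the claim 17 check rejecting the END at the buyer's side, since the issuer's signature covers D(j), S(i) and DOC1 together.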



Patent claims

1. Method of issuing an electronic negotiable document (END) comprising the steps of: generating an END as data (DOC 1) and storing it in a tamper-resistant document carrier (A), the document carrier containing a unique public-secret key pair (S) for signing and verifying and a unique document carrier identifier (D(j)); signing the unique document carrier identifier, the END and an END identifier (S(i)) using the secret key of the public-secret key pair; and storing the result in the document carrier.

2. Method according to claim 1 of issuing an END, further comprising the steps of: generating a time stamp (T) representing the time of issue and storing it with the END in a tamper-resistant document carrier before the encryption step.

3. Method according to claim 1 or 2 of issuing an END, comprising the steps of: calculating a hash value (h1) of the END and/or of the time stamp value and storing this hash value in place of the full END in a tamper-resistant document carrier before the encryption step.

4. Method according to any of the preceding claims of issuing an END, in which the document carrier identifier (D(j)) is a device number and the END identifier is a serial number (S(i)).

5. Method according to any of the preceding claims of issuing an END, in which the END identifier is supplemented with data representing a watermark (WM) unique to the issuer.

6. Method according to any of the preceding claims of issuing an END, comprising the step of: calculating a hash value (h2) of the data to be encrypted with the secret key in place of the full data.

7. Method according to any of the preceding claims of issuing an END, in which the document carrier stores a negotiation status flag (FLAG) indicating whether the END stored in it is negotiable or non-negotiable, and comprising the step of: setting the flag to "negotiable" after the result of the encryption has been stored in the document carrier.

8. Method according to any of the preceding claims of issuing an END, in which the document carrier has a counter (COUNTER) for counting a serial number indicating how often the END has been negotiated since issue, and comparing the step of setting the counter to zero after the result of the encryption has been stored in the document carrier.

9. Tamper-resistant document carrier adapted to store an END, the document carrier containing: a unique public-secret key pair (S) for signing and verifying and a unique document carrier identifier (D(j)); means for encrypting the unique document carrier identifier, the END and an END identifier (S(i)) using the secret key of the public-secret key pair; and means for storing the result in a memory of the document carrier.

10. Document carrier according to claim 9, in which the memory has a negotiability status flag (FLAG) that can be set either to "negotiable" or to "non-negotiable".

11. Document carrier according to claim 9 or 10, in which the memory has a counter (COUNTER) for storing a serial number of how often the END has been negotiated.

12. Method of negotiating an END between a seller and a buyer each possessing a tamper-resistant document carrier (A; B) having its own public-secret key pair (PA, SA; PB, SB), in which the END is stored in the seller's document carrier (A) in the form of END data (DOC 1), and the signature generated by the secret signing key of a document carrier of the issuer of the END, together with a negotiability status flag (FLAG) indicating whether the END is currently negotiable from the document carrier on which it is stored, comprising the steps of: establishing mutual recognition between the seller and the buyer using a predetermined protocol between the respective document carriers; verifying (Fig. 3, step 4) in the seller's document carrier whether the negotiability status flag is "negotiable", and aborting the negotiation if not; sending the public encryption key of the buyer's document carrier to the seller's document carrier and using it to encrypt (Fig. 3, step 5) the message comprising the END together with the negotiability status flag; sending this encrypted message to the buyer; decrypting (Fig. 3, step 7) this message using the buyer's secret encryption key; and setting (Fig. 3, steps 11 and 6) the negotiability flag for this END of the buyer's and the seller's document carriers to "negotiable" and "non-negotiable" respectively.

13. Method of negotiating an END between a seller and a buyer each possessing a tamper-resistant document carrier (A; B) having its own public-secret key pair (PA, SA; PB, SB), in which the END is stored in the seller's document carrier (A) in the form of END data (DOC 1), and the signature generated by the secret signing key of a document carrier of the issuer of the END, together with the serial number counter (COUNTER) indicating how often the END has been negotiated since issue, comprising the steps of: establishing mutual recognition between seller and buyer using a particular protocol between their respective document carriers; verifying in the seller's document carrier whether the END, if it has previously been stored in this document carrier, has a different counter value this time and is therefore negotiable, but aborting the negotiation if it is not negotiable; sending (Fig. 3, step 1) the public encryption key of the buyer's document carrier to the seller's document carrier and using it to encrypt (Fig. 3, step 5) the message comprising the END together with the counter; sending this encrypted message to the buyer; decrypting (Fig. 3, step 7) this message using the buyer's secret encryption key; and incrementing the counter by one (Fig. 3, step 11).

14. Method according to claim 12 or 13, in which each document carrier is originally installed with a certificate comprising a digital signature of its unique identifier (D(j)) or of its public key (PA, PB).

15. Method according to claim 14, in which the certificate unique to the document carrier on which the END was originally issued was stored with the END in the seller's document carrier.

16. Method according to claim 14 or 15, in which the certificate of the buyer's document carrier is sent (Fig. 3, step 1) to the seller's document carrier, in which it is authenticated, and the negotiation is aborted if the authentication is not successful.

17. Method according to any of claims 12 to 16, in which the buyer's document carrier, after the message has been decrypted using the secret key, confirms the signature of the issuer on the END and informs the issuer in the event that the authentication is not successful.

18. Method according to any of claims 1 to 8 of issuing an END on a document carrier, followed by a method of negotiating the END according to any of claims 12 to 17.

19. Method according to claim 18 as appendant to claim 2, in which the buyer's document carrier (B), after decrypting the message with its secret key (SB), verifies (Fig. 3, step 9) whether the END is still valid by consulting its time stamp (T), and, if it has expired, informs the issuer of this and aborts the negotiation before the counter is incremented or the negotiation status flag is set.

20. Method according to any of claims 12 to 19, comprising the step of: resuming the negotiation of an END which has previously been aborted, by providing the seller's document carrier with a necessary secret key which has been reproduced by the issuer or by a trusted third party.

21. Method according to claims 12 to 19, comprising the steps of: recovering the END which has been lost from a primary document carrier, by activating a back-up document carrier which has previously been provided with back-up data reproduced from the primary data carrier.

22. Method according to claim 20 or 21, comprising the step of: blocking the recovery until the expiry of the predetermined period of validity of the END.

23. Method of negotiating an END which has been sold by a seller to a buyer, in which the buyer splits the END electronically into two or more parts and then transfers these parts separately to one or more further buyers.

24. Method according to claim 23, in which each part is dependent on a digital signature of the document carrier of the buyer which effects the splitting.



Claims

1. Method of issuing an electronic negotiable document (END) comprising: the creation of an END as data (DOC 1) and its storage in a tamper-resistant document carrier (A), the document carrier containing a unique public-secret key pair (S) for signing and verification and a unique document carrier identifier (D(j)); the signing of the unique document carrier identifier, of the END and of an END identifier (S(i)) using the secret key of the public-secret key pair; and the storage of the result in the document carrier.

2. Method according to claim 1 of issuing an END, further comprising: the generation of a time stamp (T) which represents the time of issue and its storage with the END in the tamper-resistant document carrier before the encryption step.

3. Method according to claim 1 or 2 of issuing an END, including the step of calculating a check value (hash) (h1) of the END and/or of the time stamp value and of storing this check value in place of the complete END in the tamper-resistant document carrier before the said encryption step.

4. Method according to any of the preceding claims of issuing an END, in which the document carrier identifier (D(j)) is a device number and the END identifier is a serial number (S(i)).

5. Method according to any of the preceding claims of issuing an END, in which the END identifier is supplemented by data representing a watermark (WM) unique to the issuing entity.

6. Method according to any of the preceding claims of issuing an END, comprising the step of calculating a check value (h2) of the data to be encrypted by means of the said secret key in place of the complete data.

7. Method according to any of the preceding claims of issuing an END, in which the document carrier stores a negotiability status indicator (FLAG) indicating whether the END stored in it is negotiable or non-negotiable, and including the step of setting the indicator to 'negotiable' after the result of the encryption has been stored in the document carrier.

8. Method according to any of the preceding claims of issuing an END, in which the document carrier includes a counter (COUNTER) for counting a serial number indicating the number of times the END has been negotiated since its issue, and the comparison of the step of setting the counter to zero after the result of the encryption has been stored in the document carrier.

9. Tamper-resistant document carrier adapted to store an END, the document carrier containing a unique public-secret key pair (S) for signing and verification and a unique document carrier identifier (D(j)); means for encrypting the unique document carrier identifier, the END and an END identifier (S(i)) using the secret key of the public-secret key pair, and means for storing the result in a memory of the document carrier.

10. Document carrier according to claim 9, in which the memory includes a negotiability status indicator (FLAG) which can be set either to 'negotiable' or to 'non-negotiable'.

11. Document carrier according to claim 9 or 10, in which the memory includes a counter (COUNTER) for storing a serial number representing the number of times the END has been negotiated.

12. Method of negotiating an END between a seller and a buyer, each of whom possesses a tamper-resistant document carrier (A; B) having its own public-secret key pair (PA, SA; PB, SB), in which the END is stored in the seller's document carrier (A) in the form of END data (DO C 1), and the signature generated by means of the secret signing key of a document carrier of the issuing entity of the END, together with a negotiability status indicator (FLAG) indicating whether or not the END is currently negotiable from the document carrier on which it is stored, comprising the establishment of mutual recognition between the seller and the buyer using a predetermined protocol between the respective document carriers, the verification (figure 3, step 4) in the seller's document carrier that the negotiability status indicator is at 'negotiable' and the abandonment of the negotiation if that is not the case, the sending of the public encryption key of the buyer's document carrier to the seller's document carrier and its use to encrypt (figure 3, step 5) the message consisting of the END together with the negotiability status indicator, the sending of this encrypted message to the buyer, the decryption (figure 3, step 7) of this message using the buyer's secret decryption key and the setting (figure 3, steps 11 and 6) of the negotiability indicator for this END of the buyer's and seller's document carriers respectively to 'negotiable' and to 'non-negotiable'.

13. Method of negotiating an END between a seller and a buyer, each of whom possesses a tamper-resistant document carrier (A; B) having its own public-secret key pair (PA, SA; PB, SB), in which the END is stored in the seller's document carrier (A) in the form of END data (DOC 1), and the signature generated by means of the secret signing key of a document carrier of the issuing entity of the END, together with a serial number counter (COUNTER) indicating the number of times the END has been negotiated since its issue, comprising the establishment of mutual recognition between the seller and the buyer using a predetermined protocol between their respective document carriers, the verification in the seller's document carrier that the END, if it has previously been stored in this document carrier, has a different counter value this time and is consequently negotiable, but the abandonment of the negotiation if it is not negotiable, the sending (figure 3, step 1) of the public encryption key of the buyer's document carrier to the seller's document carrier and its use to encrypt (figure 3, step 5) the message consisting of the END together with the counter, the sending of this encrypted message to the buyer, the decryption (figure 3, step 7) of this message using the buyer's secret decryption key and the incrementing of the counter by one unit (figure 3, step 11).

14. Method according to claim 12 or 13, in which each document carrier is originally constituted with a certificate comprising a digital signature of its unique identifier (D(j)) and of its public key (PA, PB).

15. Method according to claim 14, in which the certificate unique to the document carrier on which the END was originally issued is stored with the END in the seller's document carrier.

16. Method according to claim 14 or 15, in which the certificate of the buyer's document carrier is sent (figure 3, step 1) to the seller's document carrier where it is authenticated, and the negotiation is abandoned if the authentication fails.

17. Method according to any of claims 12 to 16, in which the buyer's document carrier, after decrypting the message using the secret key, verifies the signature of the issuing entity on the END and informs the issuing entity in the event that the authentication fails.

18. Method according to any of claims 1 to 8 of issuing an END in a document carrier, followed by a method of negotiating the END according to any of claims 12 to 17.

19. Method according to claim 18 when it depends on claim 2, in which the buyer's document carrier (B), after decrypting the message with the aid of its secret key (SB), verifies (figure 3, step 9) that the END is still valid by consulting its time stamp (T) and, if it has expired, informs the issuing entity of this and abandons the negotiation before incrementing the counter or setting the negotiation status indicator.

20. Method according to any of claims 12 to 19, including the resumption of the negotiation of an END which has previously broken down, by providing the buyer's document carrier with the necessary secret key which has been reproduced by the issuing entity or by a mandated third party.

21. Method according to any of claims 12 to 19, including the recovery of an END lost at the level of a primary document carrier, by activating a back-up document carrier which has previously been provided with back-up data reproduced from the primary document carrier.

22. Method according to claim 20 or 21, comprising the inhibition of the recovery until the expiry of the predetermined period of validity of the END.

23. Method of negotiating an END, sold by a seller to a buyer, in which the buyer separates the END electronically into two or more parts and then negotiates these parts separately with one or more other buyers.

24. Method according to claim 23, in which each part is subjected to the digital signature of the said buyer's document carrier which effects the separation.